ThreatSTOP Blog

ThreatSTOP Free Open Source Analysis Tools Series. Part 7: Analyzing APT 10 Use Case

Written by Ofir Ashman | September 17, 2019

In April of this year, enSilo identified new activity by the Chinese cyber espionage group APT10. The campaign used previously unseen variants of malware and payloads with many similarities to APT10's earlier campaigns. PlugX, a modular backdoor spotted in the campaign, has long been associated with the group and has been widely used in targeted attacks against government and private organizations.

In enSilo's report, 6 of the 7 domains listed in the Indicators of Compromise section were typosquat domains. The ThreatSTOP Security Team decided to take a closer look at them.

In this use case, we show how our analysis team used the free, open-source analysis tools covered in previous posts to analyze the APT10 campaign domains.

Right off the bat, our team noticed suspicious resolution activity: during their first month the domains resolved for short periods, then dropped off the radar for a while. After this burst of short-lived resolutions, the typosquat domains shifted to a different set of IPs, none of which are mentioned in the report.

For example, the IP 34[.]80[.]150[.]70 started hosting many of the sighted Kaspersky and Microsoft typosquats shortly after the report was published. A closer look at the IP reveals a number of subdomains that also did not appear in the report, as well as two new typosquat domains, microsofts[.]info and miscrosofts[.]com. Pivoting on an IP alone can sweep in unrelated tenants of shared hosting, so it is the brand-lookalike naming of these domains, not the shared IP by itself, that ties them to the campaign.

 

 

Using RiskIQ’s Passivetotal subdomain view, our team was able to easily view all previously uncovered subdomains of these obviously malicious domains.

 

Using a few simple tools, our team grew 6 domains related to the new APT10 campaign in to a list of over 25 suspicious domains, which are very likely related to the campaign.
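The pivot described above (seed domains, the IPs they moved to after the report, the domains and subdomains co-hosted there, and a lookalike-name filter), as an added example that is not part of the original post and is not ThreatSTOP's or RiskIQ's code: a small Python script that walks constructed passive-DNS records offline. The IP 34.80.150.70 and the domains microsofts.info and miscrosofts.com are taken from the post; the seed names under .example, the 203.0.113.10 address, the subdomain, the benign co-hosted tenant, the report date and all first/last-seen dates are assumptions made up for the example, and the edit-distance brand check stands in for whatever judgement the team actually applied.

```python
"""Pivot from seed IOC domains through passive-DNS history to related infrastructure."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Resolution:
    """One passive-DNS observation: hostname resolved to ip during [first_seen, last_seen]."""
    hostname: str
    ip: str
    first_seen: date
    last_seen: date


# Constructed sample records. 34.80.150.70, microsofts.info and miscrosofts.com come
# from the post; the .example seeds, the RFC 5737 address 203.0.113.10, the subdomain,
# the benign tenant and every date are hypothetical.
PDNS = [
    Resolution("kaspersky-update.example", "203.0.113.10", date(2019, 3, 4), date(2019, 3, 6)),
    Resolution("kaspersky-update.example", "203.0.113.10", date(2019, 3, 20), date(2019, 3, 21)),
    Resolution("microsoft-cdn.example", "203.0.113.10", date(2019, 3, 5), date(2019, 3, 7)),
    Resolution("kaspersky-update.example", "34.80.150.70", date(2019, 5, 2), date(2019, 9, 1)),
    Resolution("microsoft-cdn.example", "34.80.150.70", date(2019, 5, 2), date(2019, 9, 1)),
    Resolution("microsofts.info", "34.80.150.70", date(2019, 5, 9), date(2019, 9, 1)),
    Resolution("update.microsofts.info", "34.80.150.70", date(2019, 5, 9), date(2019, 9, 1)),
    Resolution("miscrosofts.com", "34.80.150.70", date(2019, 5, 12), date(2019, 9, 1)),
    Resolution("shop.example", "34.80.150.70", date(2018, 1, 1), date(2019, 9, 1)),  # unrelated tenant
]
SEEDS = ["kaspersky-update.example", "microsoft-cdn.example"]  # hypothetical report IOCs
BRANDS = ["microsoft", "kaspersky"]
REPORT_DATE = date(2019, 4, 1)  # assumed publication date of the report


def registered_domain(hostname: str) -> str:
    """Naive eTLD+1 (last two labels); a real tool should use the Public Suffix List."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to a brand name is the typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def matched_brand(domain: str, brands, max_distance: int = 2):
    """Brand the registered domain's left label imitates, or None (the exact brand is not a squat)."""
    label = registered_domain(domain).split(".")[0]
    for brand in brands:
        if label != brand and (brand in label or levenshtein(label, brand) <= max_distance):
            return brand
    return None


def short_lived_resolutions(records, before: date, max_days: int = 3):
    """Windows that ended before `before` and lasted at most max_days: the appear-then-vanish pattern."""
    return [r for r in records
            if r.last_seen < before and (r.last_seen - r.first_seen).days <= max_days]


def pivot_ips(records, seeds, after: date):
    """IPs that any seed domain (or a subdomain of one) still resolved to on or after `after`."""
    seed_set = {registered_domain(s) for s in seeds}
    return {r.ip for r in records
            if registered_domain(r.hostname) in seed_set and r.last_seen >= after}


def expand(records, seeds, brands, after: date, max_distance: int = 2):
    """Seeds -> post-report IPs -> co-hosted hostnames -> brand-lookalike registered domains."""
    seed_set = {registered_domain(s) for s in seeds}
    ips = pivot_ips(records, seeds, after)
    found = {}
    for r in records:
        dom = registered_domain(r.hostname)
        if r.ip not in ips or dom in seed_set:
            continue
        brand = matched_brand(dom, brands, max_distance)
        if brand is None:
            continue  # shared-hosting neighbour without a lookalike name: not evidence on its own
        entry = found.setdefault(dom, {"brand": brand, "ips": set(), "subdomains": set()})
        entry["ips"].add(r.ip)
        if r.hostname != dom:
            entry["subdomains"].add(r.hostname)
    return found


if __name__ == "__main__":
    for r in short_lived_resolutions(PDNS, REPORT_DATE):
        print(f"short-lived: {r.hostname} -> {r.ip} ({r.first_seen} to {r.last_seen})")
    for dom, info in sorted(expand(PDNS, SEEDS, BRANDS, REPORT_DATE).items()):
        print(f"{dom}: looks like {info['brand']}, on {sorted(info['ips'])}, "
              f"subdomains {sorted(info['subdomains'])}")
```

On the constructed data the script reports the three short-lived pre-report resolutions, then returns microsofts.info (with its subdomain) and miscrosofts.com while leaving the unrelated tenant on the same IP out. With real data, replace PDNS with records pulled from your passive-DNS source and swap the last-two-labels split for a Public Suffix List lookup, otherwise names under suffixes like co.uk are mis-split.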

 

Want to hear more about the tools and platforms mentioned in this use case? Check out our previous posts in this series:

Part 1: Why use IOCs?

Part 2: Threat Exchanges and IOC Sharing

Part 3: Analyzing Threat Infrastructure

Part 4: Enrichments and Connecting the Dots

Part 5: Emotet Banking Trojan Use Case

Part 6: Guildma Information Stealer Use Case

 

Want to see more IOC analysis use cases?

Check out recent analyses posted by our Security Research Team, using similar analysis concepts: Riltok Mobile Banking Trojan Analysis, Roaming Mantis Cryptomining Malware Analysis.

 

If you haven't yet, subscribe to our blog so you don't miss out on this series and other posts from our experts on all things cyber security.

Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?